There are many methods and techniques used to verify the identity of a person during a face-to-face transaction. One method is to compare the person's facial characteristics with an authenticated picture on a validated document. For instance, many businesses require the identity of a patron presenting a check to by validated by a driver's license which includes a photograph of the individual. Similarly, passports and identification cards issued by state or federal agencies are used for verification of the identity of the individual.
Another popular method of verifying the identity of an individual during a face-to-face transaction is through written signature comparison. Many of the previously mentioned documents such as driver's licenses, passports and identification cards also include a written signature of the holder. By comparing the signature on these identifying documents with a written signature signed in the authenticator's presence, the identity of the person may be verified as represented by the document. Other methods of verifying a person's identity are through other biometrics such as fingerprints, distinctive patterns in the retina of the eye, identifying characteristics of hands, and the manner in which an individual grasps a writing instrument. Each of these methods requires specialized hardware or that the authenticator possesses specialized knowledge. While each of these methods can be used to authenticate the identity of a person for a face-to-face transaction, other methods are required to verify a person's identity for remote transactions. Remote transactions for this purpose are defined to be those transactions in which the individuals conducting the transactions are not face-to-face. Examples of remote transactions include transactions over the telephone, computer transactions over an internet or intranet, and similar transactions.
Authentication of an individual in remote transactions typically relies on information purportedly unknown to anyone besides the individual whose identity is being authenticated, e.g., a secret. Information used to authenticate the identity of an individual may include the maiden name of the mother of the individual, social security number, address, zip code, account information such as an AMERICAN EXPRESS®, MASTERCARD®, or VISA®, home telephone number, or unique personal identification number (PIN). With the advent of the Internet and the information available over the Internet, many of these previously acceptable methods of identification are becoming obsolete. Once public information such as the maiden name of the mother of the individual, social security numbers, addresses, zip codes, telephone numbers, and similar information may be accessed over the Internet, this information can no longer be used to verify the identity of an individual.
Two methods of determining an individual's identity without relying on the use of publicly available information for remote transactions include electronic signatures and PINs. For instance, if an individual wanted to access their bank account information via the Internet, the bank may require an electronic signature be sent to the bank to be used to authenticate the identity of the person performing the transaction. Heretofore signatures for remote transactions required specialized hardware on the computer system at which the user performs the transaction; i.e., attempts by users to provide repeatable signature using a mouse or similar pointing device have been unsuccessful. Instead, an electronic pen and a tablet or similar specialized hardware have seen required at the computer terminal being used for the transaction by the individual. Even this method of verification of the identity of a user is not foolproof because electronic signatures may be stored and sent when requested by an individual trying to impersonate another individual. The storage of the electronic signature may be performed on the computer used by the individual for the transaction or by other machines or computers which intercept the electronic signature as it is communicated from the user to, in this example, the bank or other financial institution.
Validating the identity of an individual by using PINs suffer similar drawbacks. When individuals choose personal identification numbers they typically use small number of predictable numbers correspondence to, for example, their birth date, portions of their Social Security number, a loved one's birth date, an anniversary date, a date of a significant event to that individual, or some other easily remembered number. While the selection of these numbers or groups of numbers allow the individual to recall the PIN easily, the association of the numbers with the individual reduces the associated security. Many systems requiring authentication attempt to minimize access by impersonators by limiting the number of attempts accepted from an individual. Many automatic teller machines (ATM) are programmed to confiscate bank cards after three attempts to access the information with incorrect PINs have been attempted. Additional problems with PINs are present when PINs are retained in computer systems. Electronically transmitted PINs may also be obtained by unauthorized individuals and used for later access attempts.
For many transaction over an internet or intranet authenticating an individual's identity is also important. Examples of instances in which the identity of an individual should be authenticated include online banking, purchases via the Internet or an intranet, access to non-public databases or information, access to medical records, remote access to computer systems, e-commerce, e-banking, business-to-business (B2B) transactions, business-to-consumer (B2C) transactions, e-learning, e-training and similar circumstances. In an effort to minimize the amount of hardware require at the computer system used by the individual to access the secured information, many of these sites required the individual being authenticated to enter a PIN as their access code.
One method to alleviate concerns with PINs includes the generation of a random number for the PIN used to authenticate the individual. Random numbers assigned to individuals create other problems in that individuals typically have a difficult time remembering these random PINs. To allow access to these protected systems these individuals may write these PINs down, and store them in their daily planners, on their calendars, in their wallets or purses, or similar locations. By writing these randomly generated PINs down the security of the overall system may be compromised and another individual may gain access to these protected systems by obtaining the recorded PINs.
With increasing computer power, methods incorporating electronic signature or digital signature recognition and authentication systems have been advanced. Such systems typically include an input device such as a digitizing pad or tablet to capture and digitally sample the written signature image and/or a biometric feature of the written signature in various ways to compare the new signature to a previously-stored “authentic” exemplar signature. Currently, written signature authentication solutions fail to provide an effective and particularly reliable signature authentication/verification system which may be readily commercially implemented. Furthermore, with the increasing use of the Internet for a myriad of applications and transactions, accurately and reliably verifying a signature on-line is particularly desirable.